- 03-02-2006 #1 Just Joined!
- Join Date
- Dec 2005
- Posts
- 6
configuring sshd with pub keys problem
Hi people,
all the servers are SLES8 with the latest version of sshd from you.
I have a problem with sshd authentication with public keys. The thing is, I need to use scp in scripts without being asked for passwords; that's why I am using pub keys.
On our development machines (I am the admin) I have used pub keys without problems, but now on the production servers (I'm not the admin) it's not working: it asks for password input all the time. The thing is, I only have a normal user on the 2 production boxes, and this is what I have done:
created a key pair:
ssh-keygen -t rsa
.ssh]$ ls
id_rsa id_rsa.pub
launched:
ssh-copy-id -i id_rsa.pub bebe@172.29.xx.xx
and checked in the other machine the authorized_keys was created:
/.ssh> more authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAo5SbiJdj4Njmwwa3Tz9ozK pgMbNywR7+FmEDlxXk2+XC
ec/kVWYfzK6/Ig2CzFkybTbLq2K2Gwb6L8uQ4v8rGgS1ZRdi9YonEaP0CUfODg gXZ6EgYXdIrGvh6dIh
UCIa1u+QA7qFWvpdH2H7ub9GdK+= bebe @x.x.x.x
then ssh to the machine bebe@172.29.xx.xx
and it asks for a password all the time. This procedure works perfectly on my machines, but not in production, and I can't talk with the admins.
So I was looking for places where you could block public key authentication. I have looked in sshd_config and pub auth is on:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
the pam sshd config is like this:
/etc/pam.d> more sshd
#%PAM-1.0
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
auth required /lib/security/pam_tally.so onerr=fail no_magic_root
account required /lib/security/pam_tally.so deny=10 reset no_magic_root
account required pam_unix2.so
account required pam_nologin.so
account required pam_laus.so detach
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none
session required pam_limits.so
session optional pam_laus.so
So I have a couple of questions: where can you block pub auth for ssh apart from sshd_config? Any ideas?
Is there another way of moving files from one machine to another without being asked for passwords (or the password can go in the script)? I can't use NFS or install anything strange on the machine. Any ideas?
Help needed
Thanks!!
- 03-02-2006 #2
ssh should be the way to go, for security and convenience.
As far as your problem - you don't mention it so I'll bring it up - you've verified that the private key is owned by the same user and the permissions are correct (rw *only* by user)? I know that's what ssh-copy-id is supposed to handle, but I'm wondering if differing userids might be at the root of this.
DT
- 03-03-2006 #3 Just Joined!
- Join Date
- Dec 2005
- Posts
- 6
Thanks for the answer, the perms look OK, have a look:
bebe@EMAMEL506PRU:~/.ssh> ls -l
total 4
-rw------- 1 bebe spresogp 232 mar 3 11:13 authorized_keys
But what I have seen is that when I log on it is not accessing the .ssh directory:
I do an ls -lua on the .ssh dir and it doesn't get modified when I log on :$$
I can't seem to see what the problem is.
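An added example, not part of any post in this thread: post #3 lists only the mode of authorized_keys, while sshd with StrictModes enabled (its default) also refuses a key when the home directory or ~/.ssh is writable by group or others or owned by another account, and it reads each key from a single line. The function names are made up for this example, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Run on the server as the login account.
# Assumes GNU coreutils stat(1); the function names are made up for this example.

# check_path_modes HOME [UID]: the StrictModes ownership/mode test applied to
# home, ~/.ssh and authorized_keys. Prints one line per problem; returns 1 if any.
check_path_modes() {
    home=$1; uid=${2:-$(id -u)}; bad=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then echo "MISSING $p"; bad=1; continue; fi
        owner=$(stat -c %u "$p"); mode=$(stat -c %a "$p")
        # Owner must be the account itself or root (uid 0).
        if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
            echo "OWNER $p uid=$owner"; bad=1
        fi
        # Group or other write bit set, i.e. (mode & 022) != 0.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "WRITABLE $p mode=$mode"; bad=1
        fi
    done
    return $bad
}

# check_key_lines FILE: every entry must hold key type and base64 blob on ONE
# line. Prints "BADLINE n" for lines that do not; returns 1 if any was found.
check_key_lines() {
    awk '
        BEGIN { kt  = "^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$"
                b64 = "^[A-Za-z0-9+/]+=*$" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        {
            ok = 0
            for (i = 1; i < NF; i++)        # options may precede the key type
                if ($i ~ kt && $(i + 1) ~ b64 && length($(i + 1)) % 4 == 0) ok = 1
            if (!ok) { print "BADLINE " NR; bad = 1 }
        }
        END { exit bad + 0 }' "$1"
}

# Stand-alone use: sh thisfile.sh /home/bebe
if [ "$#" -ge 1 ]; then
    check_path_modes "$1"; check_key_lines "$1/.ssh/authorized_keys"
fi
```

A key that an editor or pager has wrapped shows up as BADLINE on the continuation lines, because they carry no key type.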
- 03-03-2006 #4
OK, next step is to try using the -v param with ssh - verbose login. It steps through the login process and will say when it doesn't find files/keys/auth.
ssh -v remotesystem
Best to approach this methodically rather than assume something is blocked.
DT
- 03-06-2006 #5 Just Joined!
- Join Date
- Dec 2005
- Posts
- 6
Thanks for the -v tip:
What I get related to pubkey is this:
27864: debug1: authentications that can continue: publickey,password
27864: debug1: next auth method to try is publickey
27864: debug1: try privkey: /home/bebe/.ssh/identity
27864: debug1: try pubkey: /home/bebe/.ssh/id_rsa
27864: debug1: authentications that can continue: publickey,password
27864: debug1: try privkey: /home/bebe/.ssh/id_dsa
27864: debug1: next auth method to try is password
bebe@emamel506pru's password:
But I can't work out what's the problem here. Why doesn't it like the pubkey auth??
- 03-06-2006 #6
That's a very good question. I'm starting to run out of ideas this end. At least you know it's unlikely anything external to ssh is somehow blocking stuff - it's talking, it's finding the key, and it's failing and moving on, as it should.
Every time this sort of thing has happened to me in the past, it's been an oopsie on my part, either an oversight or just plain screwup. Personally, I would rename all .ssh directories both ends and just start from scratch - this time doing it *manually* by creating keys and not using the ssh-copy-id util (it should work, but I'm just trying to minimize variables).
Other potential issues could be different versions of ssh - you mention sles8 which is somewhat old right now. I'm wondering if the version there isn't compatible with the other versions you're running? Once you've determined the versions everywhere, you might want to google that aspect. I seem to recall all sorts of yammering about the open-ssh and the commercial version having patent issues, seems to have forked properly now. Anyway, FWIW, check out these two pages - ignore the cygwin aspect of one of them for windows - they both talk about mixing and matching ssh, open-ssh, and different, more manual approaches to the setup.
http://www.mines.edu/~gmurray/HowTo/sshNotes.html
http://www.arches.uga.edu/~pkeck/ssh/
Good luck!
DT
[EDIT] - Silly question - the userid is the same on both systems, right? If they're different, you *cannot* use keys - you'll need to use keyboard-password.
- 03-07-2006 #7 Just Joined!
- Join Date
- Dec 2005
- Posts
- 6
Just to test, I tried using pubkey the other way round: before I was trying from box 1 to 2, now I have tried 2 to 1 and it works OK! :***, but I need it the other way round. It's so strange, I don't understand. I have reviewed all the config files ssh_config, sshd_config and /etc/pam.d/ssh, and the only difference is in sshd_config: in machine 2 it has #protocol 2 only, but that should make no difference because when I connect from 2 to 1 I use protocol 2 to connect with no problems, so the mystery continues....
25036: debug1: authentications that can continue: publickey,password
25036: debug1: next auth method to try is publickey
25036: debug1: try privkey: /interfaces_mqgp/.ssh/identity
25036: debug1: try pubkey: /interfaces_mqgp/.ssh/id_rsa
25036: debug1: input_userauth_pk_ok: pkalg ssh-rsa blen 149 lastkey 0x8095730 hint 1
25036: debug1: read PEM private key done: type RSA
25036: debug1: ssh-userauth2 successful: method publickey
25036: debug1: channel 0: new [client-session]
It worked! But the other way round ;D
Thanks for your help.
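An added example, not part of any post in this thread: the two `ssh -v` excerpts in posts #5 and #7 differ in what follows the "try pubkey" line, and this script reads that difference to say which side to inspect next. It handles only the debug line format quoted in those posts; the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Reads client-side `ssh -v` output in the
# format quoted in posts #5 and #7. Function names are made up for this example.

# Log lines quoted in post #5 (the direction that falls back to a password).
sample_failed_log() {
    cat <<'EOF'
27864: debug1: authentications that can continue: publickey,password
27864: debug1: next auth method to try is publickey
27864: debug1: try privkey: /home/bebe/.ssh/identity
27864: debug1: try pubkey: /home/bebe/.ssh/id_rsa
27864: debug1: authentications that can continue: publickey,password
27864: debug1: try privkey: /home/bebe/.ssh/id_dsa
27864: debug1: next auth method to try is password
EOF
}

# classify_offers: stdin = log. Prints "ACCEPTED <key>" or "REJECTED <key>" for
# each "try pubkey" line, "NOREPLY <key>" if the log ends before the answer.
classify_offers() {
    awk '
        function emit() { if (key != "") print state, key; key = "" }
        /try pubkey: /         { emit(); key = $NF; state = "NOREPLY"; next }
        /input_userauth_pk_ok/ { if (key != "") state = "ACCEPTED"; next }
        /authentications that can continue/ {
            if (state == "NOREPLY") state = "REJECTED"
            emit(); next
        }
        END { emit() }'
}

# verdict: stdin = log. One line naming the side to inspect next.
verdict() {
    log=$(cat)
    offers=$(printf '%s\n' "$log" | classify_offers)
    if printf '%s\n' "$log" | grep -q 'successful: method publickey'; then
        echo "OK publickey login succeeded"
    elif [ -z "$offers" ]; then
        echo "CLIENT no public key was offered: check the key files on the client"
    elif printf '%s\n' "$offers" | grep -q '^ACCEPTED'; then
        echo "CLIENT key accepted but login failed: check the private key file"
    else
        echo "SERVER every offered key was refused: check authorized_keys there"
    fi
}

sample_failed_log | verdict   # prints the SERVER line for the post #5 log
```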
- 03-07-2006 #8
Did you compare the versions of ssh? It's possible one is significantly behind the other - one is backward compatible, the other isn't forward compatible. Could be the type of encryption.
DT

